Why Cyber Budgets Need to Become Dynamic, Not Annual Guesswork
By Ali Zeb · October 2025 · 7 min read
The annual budget cycle is one of the most deeply embedded rituals of corporate governance. It disciplines expenditure, creates accountability, and provides a planning horizon that aligns with how most organisations think about their financial year. For the majority of operational spending, it is a reasonable model. For cyber security investment in the current environment, it is increasingly inadequate in ways that have direct implications for board-level governance.
The problem is not the existence of an annual budget. It is the assumption embedded in that budget: that the threat environment, the organisation's risk exposure, and the effectiveness of existing controls will remain broadly stable over a twelve-month period. That assumption has never been entirely sound in cyber security, but the pace of change in the threat landscape — driven by AI, by the commoditisation of offensive tools, and by the increasing sophistication of state-sponsored actors targeting commercial organisations — has made it untenable.
Boards that approved a cyber budget in September based on a threat assessment from July are making allocation decisions on the basis of a picture that may be materially out of date before the money is spent. The governance question is not whether to have a budget, but whether the budget process is agile enough to respond to a threat environment that moves faster than the planning cycle.
How the fixed-budget model fails in practice
The failure modes of fixed annual cyber budgets cluster around three patterns. The first is the investment gap: a material threat emerges or an organisation's risk exposure changes significantly mid-year, but there is no mechanism to allocate additional resource without a lengthy internal approval process that takes weeks at minimum and, more typically, months. In a threat environment where the window between vulnerability disclosure and active exploitation can be measured in days, that lag has operational consequences.
The second failure mode is strategic misallocation. Annual budgets are typically constructed by reference to the previous year's spend, adjusted for inflation and any specific initiatives agreed in the planning cycle. This backward-looking model means that investment tends to continue flowing to areas that were prioritised when the budget was set, rather than to areas where risk has subsequently increased. The result is a portfolio that looks reasonably well-balanced on the day the budget is approved and increasingly misaligned with actual risk by the time the year closes.
The third failure mode is the metric problem. Fixed budgets tend to generate fixed metrics: spend against budget, headcount against plan, projects delivered against committed programme. These metrics measure budget compliance, not risk reduction. A security function that has spent exactly its budget and delivered every committed project may have improved its position relative to the previous year, or it may have been standing still while the threat environment moved ahead of it. The annual budget framework provides no natural mechanism for distinguishing between these two outcomes.
"Approving a cyber budget once a year and reviewing it once a quarter is not investment governance. It is financial administration. The difference matters when the threat environment changes faster than your planning cycle."
Ali Zeb
What a dynamic investment model looks like
A dynamic cyber investment model does not abandon the annual budget. It supplements it with two mechanisms that the fixed model lacks: a threat-responsive allocation reserve and a risk-linked review cadence.
The threat-responsive reserve. A proportion of the cyber investment budget — typically between ten and twenty percent, depending on the sector and the organisation's risk profile — is held as a deployable reserve rather than pre-allocated to specific programmes at the start of the year. This reserve can be drawn on when a material threat emerges, a significant vulnerability is identified, or the organisation's risk exposure changes in ways that were not anticipated during planning. The governance mechanism for deploying the reserve should be clearly defined: who can authorise deployment, at what thresholds, and with what reporting obligations to the board. This is not a blank cheque. It is a pre-authorised response capability.
The risk-linked review cadence. Quarterly budget reviews should be structured around the current risk picture rather than the plan established at year start. This requires the CISO to present a current threat assessment alongside the financial update, to identify any areas where the investment allocation is misaligned with current risk, and to propose adjustments where warranted. Boards that receive this framing are in a position to make genuinely informed decisions about whether current spending reflects current risk. Boards that receive only a financial update against plan are not.
The governance shift this requires is less dramatic than it sounds. It does not require abandoning financial discipline or creating an open-ended commitment to incremental spending. It requires building a mechanism for the investment portfolio to adapt to a changing environment, and creating a board-level review process that evaluates investment against risk outcomes rather than budget compliance. Organisations that have made this shift consistently report that it improves the quality of the board's cyber engagement and strengthens the CISO's ability to make a credible case for investment when circumstances change.
Ali Zeb is an Executive Cyber Security Advisor, Non-Executive Director, and former advisory member at the FCA, NCSC, and Lloyd's of London Market Cyber Risk Committee. He advises boards on cyber investment strategy, governance frameworks, and how to build investment models that respond to a dynamic threat environment.
Disclaimer
The views and opinions expressed in these articles are those of the author, Ali Zeb, and are provided for general informational and educational purposes only. They are based on professional experience, independent research, publicly available information, and the use of artificial intelligence tools to support analysis and content development.
While every effort is made to ensure the accuracy and relevance of the information presented, no representation or warranty, express or implied, is made as to its completeness, accuracy, or suitability for any particular purpose. The content should not be relied upon as professional, legal, regulatory, or financial advice.
Readers are encouraged to seek appropriate independent advice specific to their organisation and circumstances before making any decisions based on the information contained in these articles.
To the fullest extent permitted by law, the author accepts no liability for any loss, damage, or consequences arising directly or indirectly from the use of, or reliance on, the information provided.